diff options
Diffstat (limited to 'policy/modules/services/rhcs.if')
-rw-r--r-- | policy/modules/services/rhcs.if | 496 |
1 files changed, 496 insertions, 0 deletions
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if new file mode 100644 index 000000000..776c57017 --- /dev/null +++ b/policy/modules/services/rhcs.if @@ -0,0 +1,496 @@ +## <summary>Red Hat Cluster Suite.</summary> + +####################################### +## <summary> +## The template to define a rhcs domain. +## </summary> +## <param name="domain_prefix"> +## <summary> +## Domain prefix to be used. +## </summary> +## </param> +# +template(`rhcs_domain_template',` + gen_require(` + attribute cluster_domain, cluster_pid, cluster_tmpfs; + attribute cluster_log; + ') + + ############################## + # + # Declarations + # + + type $1_t, cluster_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + + type $1_tmpfs_t, cluster_tmpfs; + files_tmpfs_file($1_tmpfs_t) + + type $1_var_log_t, cluster_log; + logging_log_file($1_var_log_t) + + type $1_var_run_t, cluster_pid; + files_pid_file($1_var_run_t) + + ############################## + # + # Local policy + # + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) + + manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) + append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) + + optional_policy(` + dbus_system_bus_client($1_t) + ') +') + +###################################### +## <summary> +## Execute a domain transition to +## run dlm_controld. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_dlm_controld',` + gen_require(` + type dlm_controld_t, dlm_controld_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) +') + +##################################### +## <summary> +## Get attributes of fenced +## executable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_getattr_fenced_exec_files',` + gen_require(` + type fenced_exec_t; + ') + + allow $1 fenced_exec_t:file getattr_file_perms; +') + +##################################### +## <summary> +## Connect to dlm_controld with a +## unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_dlm_controld',` + gen_require(` + type dlm_controld_t, dlm_controld_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) +') + +##################################### +## <summary> +## Read and write dlm_controld semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_dlm_controld_semaphores',` + gen_require(` + type dlm_controld_t, dlm_controld_tmpfs_t; + ') + + allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +') + +###################################### +## <summary> +## Execute a domain transition to run fenced. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_fenced',` + gen_require(` + type fenced_t, fenced_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fenced_exec_t, fenced_t) +') + +###################################### +## <summary> +## Read and write fenced semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_fenced_semaphores',` + gen_require(` + type fenced_t, fenced_tmpfs_t; + ') + + allow $1 fenced_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) +') + +#################################### +## <summary> +## Connect to all cluster domains +## with a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_cluster',` + gen_require(` + attribute cluster_domain, cluster_pid; + ') + + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) +') + +###################################### +## <summary> +## Connect to fenced with an unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_fenced',` + gen_require(` + type fenced_var_run_t, fenced_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) +') + +##################################### +## <summary> +## Execute a domain transition +## to run gfs_controld. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_gfs_controld',` + gen_require(` + type gfs_controld_t, gfs_controld_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) +') + +#################################### +## <summary> +## Read and write gfs_controld semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_gfs_controld_semaphores',` + gen_require(` + type gfs_controld_t, gfs_controld_tmpfs_t; + ') + + allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + +######################################## +## <summary> +## Read and write gfs_controld_t shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_gfs_controld_shm',` + gen_require(` + type gfs_controld_t, gfs_controld_tmpfs_t; + ') + + allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + +##################################### +## <summary> +## Connect to gfs_controld_t with +## a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_gfs_controld',` + gen_require(` + type gfs_controld_t, gfs_controld_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) +') + +###################################### +## <summary> +## Execute a domain transition to run groupd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_groupd',` + gen_require(` + type groupd_t, groupd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, groupd_exec_t, groupd_t) +') + +##################################### +## <summary> +## Connect to groupd with a unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_groupd',` + gen_require(` + type groupd_t, groupd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) +') + +######################################## +## <summary> +## Read and write all cluster domains +## shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_cluster_shm',` + gen_require(` + attribute cluster_domain, cluster_tmpfs; + ') + + allow $1 cluster_domain:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + +#################################### +## <summary> +## Read and write all cluster +## domains semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_cluster_semaphores',` + gen_require(` + attribute cluster_domain; + ') + + allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + +##################################### +## <summary> +## Read and write groupd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_groupd_semaphores',` + gen_require(` + type groupd_t, groupd_tmpfs_t; + ') + + allow $1 groupd_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + +######################################## +## <summary> +## Read and write groupd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_groupd_shm',` + gen_require(` + type groupd_t, groupd_tmpfs_t; + ') + + allow $1 groupd_t:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + +###################################### +## <summary> +## Execute a domain transition to run qdiskd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_qdiskd',` + gen_require(` + type qdiskd_t, qdiskd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an rhcs environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`rhcs_admin',` + gen_require(` + attribute cluster_domain, cluster_pid, cluster_tmpfs; + attribute cluster_log; + type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; + type fenced_tmp_t, qdiskd_var_lib_t; + type dlm_controld_t, foghorn_t; + ') + + allow $1 cluster_domain:process { ptrace signal_perms }; + ps_process_pattern($1, cluster_domain) + + init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t) + init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t) + + files_search_pids($1) + admin_pattern($1, cluster_pid) + + files_search_locks($1) + admin_pattern($1, fenced_lock_t) + + files_search_tmp($1) + admin_pattern($1, fenced_tmp_t) + + files_search_var_lib($1) + admin_pattern($1, qdiskd_var_lib_t) + + fs_search_tmpfs($1) + admin_pattern($1, cluster_tmpfs) + + logging_search_logs($1) + admin_pattern($1, cluster_log) +') |